The GDPR introduces mandatory breach notification: breaches must be reported to the Office of the Data Protection Commissioner (ODPC) within 72 hours, unless the personal data affected was anonymised or encrypted. In practice this will mean that most data breaches must be reported to the DPC. Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals concerned.
Failure to report a breach when required to do so could result in a fine, in addition to a fine for the breach itself.
All breaches or suspected breaches should therefore be reported to the University’s Data Protection Officer without delay for assessment.
What is a "data breach"?
The GDPR defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
For example, an unauthorised/accidental:
Data breaches may occur in a variety of contexts, such as:
If a data breach/suspected data breach is identified, please take the following steps WITHOUT DELAY:
last updated 13 March 2019